[BreachExchange] Ransomware: The pervasive business disruptor

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 28 20:05:42 EDT 2017


http://www.itproportal.com/features/ransomware-the-pervasive-business-disruptor/

Ransomware is recognised as one of the main threats to digital business
today. It is fast becoming the most financially rewarding malware for cyber
criminals, leading to the proliferation of attacks across industries. In
recent years, this type of attack has succeeded where patching and
malware-prevention practices were too weak to stop malware from infecting
systems and spreading. Without a backup and recovery system in place,
organisations and individuals have been forced to pay up in order to have
their files restored.

Globally, 49 per cent of businesses reported at least one cyber attack in
2016, of which 39 per cent were ransomware attacks. The US alone reported a
300 per cent rise in ransomware attacks from 2015 to 2016. The high-profile
WannaCry and Nyetya ransomware reflected a shift towards these attacks
being used to cause mass disruption across a range of different
industries. This trend can also be attributed to the growth of
Ransomware-as-a-Service (RaaS) in the first half of 2017*, where cyber
criminals pay the operators of RaaS platforms to launch the attacks. What is
notable is that ransomware is increasingly accessible to cyber criminals,
even those without programming skills.

The main reason behind the success of ransomware is that organisations are
largely unprepared for an attack. The WannaCry ransomware outbreak was able
to spread fast through its unexpected worm-like self-propagation capability,
exploiting the outdated and unsupported hardware and software in many
organisations' network infrastructure and endpoints, which did not have
adequate countermeasures and updates in place.

Fighting back

Ransomware attacks undoubtedly signal a critical need for improvements to
cyber security, irrespective of industry or organisation size. Simply
certifying that an organisation's firewall, anti-malware, and similar
protective measures are up to date is not always enough to protect it from
today's malicious threats. The key goal is to prevent the malware from
succeeding as a business disruptor. The term 'kill-chain' is often used to
describe the way that attackers discover, infect, "go live" and start to
extract or encrypt data from targets; disrupting this chain at any stage
will reduce the impact of a ransomware attack.

The following framework can be used as part of an organisation’s defence
strategy against ransomware.

1. Predict: Threat intelligence services help to level the playing field
against such exploits by enabling organisations to stay updated on threats
to their business, allowing security professionals to proactively block
security holes and take action to prevent data loss or system failures.

2. Protect: Identity and Access Management tools are essential in
identifying enterprise device and computing assets, while Network Access
Control tools ensure that devices are compliant with the IT security
policies before allowing access to the network. These solutions can also
determine what patches have been applied and whether the user is vulnerable
to the latest threats. All endpoints used by the enterprise should have
adequate protection with next-generation endpoint security that relies not
only on signatures, but also on streaming-based techniques to prevent
successful exploitation of vulnerabilities across all operating systems.
Implementation of Next-Generation Firewalls adds an additional layer of
anti-malware scanning for known bad files, while linking to cloud-based
sandboxing detects unknown and new malware. Email security solutions will
also block threats and inbound phishing mails from suspicious domains as
well as remove spam. Applying web and domain name security can effectively
prevent the download of ransomware payloads after a click on a malicious
link. Finally, educating users on how to identify phishing emails and not
to click on suspicious links is also vital to reducing the possibility of a
successful malware download onto a device.

3. Detect: In case malware has already infiltrated an enterprise's
endpoints or network, technologies should be in place to detect anomalies
in the enterprise infrastructure. Security analysts should closely monitor
the network around the clock to check for indicators of compromise, and
evaluate threats using security information and event management (SIEM)
tools. Using AI and machine learning to detect malicious activity such as
"command and control" traffic, and using that information to update
networking equipment, will allow rapid isolation of infected networked
devices. Active threat hunting that can detect malware and ransomware
already inside the network and devices is especially useful for finding
new ransomware that is propagating but has yet to encrypt files. Breach
detection technologies such as deception tools and 24/7 threat monitoring
services can detect ransomware as it propagates: the spreading malware
trips the sensors, providing a form of early warning system similar to
smoke alarms in buildings.

4. Respond: Businesses must also focus on ensuring business resilience in
the event of an attack. First and foremost, an organisation should have a
detailed incident response plan which includes ransomware incident
scenarios and a dedicated incident response team, and the plan must be
tested. Upon detection of a ransomware incident, security analysts should
promptly block the malicious communication channels at the firewall or
intrusion prevention systems, and quarantine infected machines as soon as
possible. Network access control technologies will place the infected user
in quarantine mode and prevent the spread of the malware within the
organisation. Endpoint security tools are needed to eradicate the malware
while the machine is under quarantine, and a thorough scan of the rest of
the network for traces of the ransomware on other devices is necessary,
requiring endpoint forensics tools to provide visibility. Breach detection
technology can be quickly redeployed in areas after they have been
cleaned; it can verify that an area is thoroughly clear of ransomware and
monitor for any new infection.

5. Recover: Backup is the last bastion against a successful ransomware
attack. If an enterprise can recover files from a backup, the ransomware
creators will not be paid. Therefore, backup plays a critical role in the
strategy for fast recovery. The backup system needs to prevent the
replication of files maliciously encrypted by ransomware, which can be
achieved with dynamic segmentation and inherent security features.
Learning from an attack, building security awareness throughout the
organisation, determining the areas that require improvement, and
hardening security technologies to prevent the next possible ransomware
occurrence are critical processes that should not be neglected.
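The deception sensors of step 3 and the backup gate of step 5 share one
question: has a file been replaced by ciphertext? The script below is an
added illustration, not code from the article or any product it names; it
checks decoy (canary) files against a hash baseline and holds back from
replication any changed file whose bytes look encrypted, using a byte-entropy
threshold or a missing format header. File names, contents and the 7.5
bits/byte limit are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Optional

ENTROPY_LIMIT = 7.5  # assumed bits per byte; documents sit well below, ciphertext near 8.0
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values close to 8.0 look like ciphertext."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def looks_encrypted(name: str, data: bytes) -> Optional[str]:
    """Reason the file appears maliciously encrypted, or None if it looks intact."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:  # formats with a known header (incl. compressed ones) are judged by it
        return None if data.startswith(MAGIC[ext]) else f"magic bytes for {ext} missing"
    entropy = shannon_entropy(data)
    return f"entropy {entropy:.2f} above {ENTROPY_LIMIT}" if entropy > ENTROPY_LIMIT else None

def canary_tripped(baseline: dict, current: dict) -> list:
    """Deception sensor: decoy files nobody should touch; any change or removal trips it."""
    alerts = []
    for path, digest in baseline.items():
        if path not in current:
            alerts.append(f"{path}: canary missing")
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            alerts.append(f"{path}: canary modified")
    return alerts

def gate_backup(previous: dict, current: dict) -> tuple:
    """Split the next backup set into files safe to replicate and files held as suspect."""
    safe, held = {}, {}
    for path, data in current.items():
        reason = None if previous.get(path) == data else looks_encrypted(path, data)
        (held if reason else safe)[path] = reason or data
    return safe, held

# Constructed sample files; CIPHER is a deterministic high-entropy stand-in for an encrypted file.
PLAIN = b"Quarterly report: revenue up 4 per cent, costs flat.\n" * 20
CIPHER = bytes((i * 131 + 17) % 256 for i in range(900))
CANARY = b"DO NOT OPEN - decoy placed by IT\n"
BASELINE = {"share/finance/~old_payroll.txt": hashlib.sha256(CANARY).hexdigest()}
PREVIOUS = {"share/finance/report.txt": PLAIN, "share/finance/brochure.pdf": b"%PDF-1.4 constructed"}
CURRENT = {"share/finance/report.txt.locked": CIPHER, "share/finance/brochure.pdf": CIPHER,
           "share/finance/~old_payroll.txt": CIPHER, "share/finance/notes.txt": b"Meeting moved.\n"}
```

Run against these samples, the canary check raises one alert and the gate
replicates only notes.txt, holding the three rewritten files with a reason each.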

As ransomware attacks propagate across industries, the fact is that every
enterprise is vulnerable if it does not implement the necessary security
measures to counter the evolving threat. By implementing the framework
outlined above, businesses will have a fighting chance of disrupting an
attack before it can disrupt business operations.